More than $300,000 was handed out in GCP prize money during 2021

Google has awarded prizes of more than $300,000 to cloud-focused security researchers

Ethical hackers have earned more than $300,000 after uncovering a variety of flaws in Google Cloud Platform (GCP).

The top seven responsibly disclosed vulnerabilities that qualified under GCP’s Vulnerability Rewards Program (VRP) last year scooped a total of $313,337, with the winner taking away $133,337.

Google said the GCP VRP – which began in 2019 – shows that many talented security researchers are getting involved in improving cloud security by uncovering vulnerabilities that might have otherwise gone undetected.

The amount awarded represents a sizeable fraction of the $8.7 million awarded by Google across its complete range of vulnerability disclosure programs.

I’m IAP, hope you’re API too

The first prize, and an award of $133,337, went to security researcher Sebastian Lutz for discovering a bug in Identity-Aware Proxy (IAP) that offered a way for an attacker to access IAP-protected resources.

The flaw meant that if an attacker tricked a prospective victim into visiting a URL that was under their control, they would be able to steal their IAP authentication token, as explained in greater depth in a technical blog post.

Does not compute

Hungarian researcher Imre Rad earned a second prize of $73,331 after uncovering a mechanism to take over a Google Compute Engine virtual machine.

The hack relied on sending malicious Dynamic Host Configuration Protocol (DHCP) packets to the virtual machine in order to spoof the Google Compute Engine metadata server.




As explained in a technical write-up by Rad on GitHub, the flaw and associated attacks were first reported to Google in September 2020.

A protracted disclosure process followed, and it was only after Rad went public with his findings in June 2021 that Google fixed the issue, a month later.

Going with the dataflow

Third spot in the 2021 edition of the GCP VRP stakes – along with a prize of $73,331 – went to security researcher Mike Brancato for the discovery and disclosure of a remote code execution (RCE) vulnerability in Google Cloud Dataflow.

Brancato discovered that Dataflow nodes were exposing an unauthenticated Java JMX port, a security weakness that made it possible to run arbitrary commands on the virtual machine, as explained in a technical blog post.

The impact of the vulnerability depends on which service account is assigned to Dataflow worker nodes, Brancato told The Daily Swig.

The researcher explained: “By default that is the Google Compute Engine default service account, which has the project-wide Editor role assigned. The Editor role has a lot of permissions to create and destroy resources - it is part of the ‘basic roles’ that Google doesn’t recommend using because they provide broad permissions.”




They added: “The vulnerability is easily exploitable with existing tools like Metasploit,” provided an attacker identifies an open firewall port that exposed a vulnerable system to potential attack.

The security researcher has been working in cloud security since 2017 and bug bounty hunting has become a natural extension to their regular work.

“As part of my exposure to cloud APIs and my background, I started to identify systems that appear interesting and may be vulnerable to attack,” Brancato concluded.
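
The point about the default service account can be checked from a project's IAM policy. The following is an added example, not code from Brancato or Google: it scans a policy in the JSON form returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports any Compute Engine default service account that holds a basic role. The project number, member names and sample policy are constructed for illustration.

```python
import json
import re

# Basic roles grant broad, project-wide permissions.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# The Compute Engine default service account is named
# PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(
    r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"
)


def find_basic_role_grants(policy):
    """Return sorted (member, role) pairs where a Compute Engine default
    service account is bound to a basic role in an IAM policy dict."""
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BASIC_ROLES:
            continue
        # Conditional bindings are reported too: the grant still exists.
        for member in binding.get("members", []):
            if DEFAULT_COMPUTE_SA.match(member):
                findings.add((member, role))
    return sorted(findings)


# Constructed sample policy (not taken from any real project).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/dataflow.worker",
     "members": ["serviceAccount:df-worker@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["group:auditors@example.com"]}
  ],
  "version": 1
}
""")

if __name__ == "__main__":
    for member, role in find_basic_role_grants(SAMPLE_POLICY):
        print(f"{member} holds basic role {role}")
```

A finding here means any workload running as that account, Dataflow workers included, inherits the basic role; running workers under a dedicated service account with a narrower role such as `roles/dataflow.worker` limits what a compromised node can reach.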

The Daily Swig also invited Lutz and Rad to comment on their respective research, as well as asking Google how it would like to improve cloud-focused elements of its bug bounty program.

